Remote Host       Port Number
92.241.164.101    47221

NICK [N00_USA_XP_3095115]
USER SP2-861 * 0 :COMPUTERNAME
MODE [N00_USA_XP_3095115] A -ix
JOIN #nbot-poly
MODE #nbot-poly -ix
Details of 92.241.164.101
IP Address : 92.241.164.101
Location : Unknown
Host Name : vps3401_VZw2k3.2×4.ru
Other details
* The following port was open in the system:

  Port   Protocol   Process
  1052   TCP        WindowsUpdate.exe (%Windir%\WindowsUpdate.exe)
Registry Modifications
* The following Registry Keys were created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    + Microsoft Driver Setup = "%Windir%\WindowsUpdate.exe"
      so that WindowsUpdate.exe runs every time Windows starts
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Microsoft Driver Setup = "%Windir%\WindowsUpdate.exe"
      so that WindowsUpdate.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:

  Process Name        Process Filename             Main Module Size
  WindowsUpdate.exe   %Windir%\windowsupdate.exe   348,160 bytes
File System Modifications
* The following files were created in the system:

  1. %Windir%\log32.txt
     File Size: 0 bytes
     File Hash: MD5: 0xD41D8CD98F00B204E9800998ECF8427E
                SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
     Alias: (not available)

  2. [file and pathname of the sample #1]
     %Windir%\WindowsUpdate.exe
     File Size: 75,776 bytes
     File Hash: MD5: 0x673483E7C43EE065C3D68D47AC4D1343
                SHA-1: 0x4DD34BD1E79D00398382D0EF40EA743812CBD039
     Alias: Backdoor.IRC.Bot [Symantec]
            Backdoor.Win32.EggDrop.aag [Kaspersky Lab]
            BackDoor-ELN [McAfee]
            Mal/Resdro-A [Sophos]
            VirTool:Win32/Injector.gen!AR [Microsoft]
            Backdoor.Win32.EggDrop [Ikarus]